PatchSiren

CVE-2024-47659 Siemens CVE debrief

A vulnerability in the Smack Linux Security Module's TCP/IPv4 labeling implementation allows packets to be incorrectly labeled, potentially enabling unauthorized data writing from one security label to another. This flaw affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC/XR/XCM/XRM/XCH/XRH families. The vulnerability stems from improper handling of TCP/IPv4 packet labeling within the Smack security framework, which is designed to provide mandatory access control. When exploited, this could allow network traffic to bypass intended security boundaries between different Smack labels, compromising the isolation that the security module is meant to enforce. The CVSS 3.1 score of 5.5 (Medium severity) reflects local attack vector, low attack complexity, and low privileges required, with high availability impact but no confidentiality or integrity impact per the scoring vector. Siemens has released updates to address this vulnerability, with version 3.2 or later containing the necessary fixes.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial networking equipment in critical infrastructure environments, including energy, manufacturing, transportation, and water/wastewater sectors. Security teams responsible for OT/ICS network segmentation and mandatory access control enforcement should prioritize this update. System integrators and maintenance providers supporting Siemens industrial networks should review affected product deployments and coordinate firmware updates during planned maintenance windows.

Technical summary

The vulnerability exists in the Smack (Simplified Mandatory Access Control Kernel) Linux Security Module's handling of TCP/IPv4 packet labeling. Smack assigns labels to processes and data, enforcing access control based on these labels. The flaw allows packets to receive incorrect labels during TCP/IPv4 processing, which can result in traffic being permitted between security domains that should be isolated. This breaks the fundamental security guarantee of mandatory access control systems, namely that data cannot flow from a higher sensitivity label to a lower one without explicit authorization. The affected Siemens products utilize SINEC OS, which incorporates the vulnerable Smack implementation. The local attack vector suggests exploitation requires local network access or compromised local processes. The high availability impact in the CVSS scoring indicates that successful exploitation may disrupt system availability, though the confidentiality and integrity impacts are scored as none in the base metric.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to version 3.2 or later for affected Siemens RUGGEDCOM and SCALANCE products
  • Verify Smack security module configuration on affected systems to ensure proper label enforcement
  • Monitor network traffic for anomalous patterns that may indicate label bypass attempts
  • Implement network segmentation to limit exposure of affected industrial control systems
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies
  • Consult Siemens ProductCERT advisory SSA-355557 for product-specific remediation guidance

Evidence notes

Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with availability impact. Remediation guidance specifies update to V3.2 or later for affected products.
